[Freeipa-devel] [PATCH 0014] Support multiple user and host certificates
Martin Basti
mbasti at redhat.com
Wed May 27 16:12:50 UTC 2015
On 27/05/15 15:53, Fraser Tweedale wrote:
> This patch adds support for multiple user / host certificates. No
> schema change is needed ('usercertificate' attribute is already
> multi-value). The revoke-previous-cert behaviour of host-mod and
> user-mod has been removed but revocation behaviour of -del and
> -disable is preserved.
>
> The latest profiles/caacl patchset (0001..0013 v5) depends on this
> patch for correct cert-request behaviour.
>
> There is one design question (or maybe more, let me know): the
> `--out=FILENAME' option to {host,service} show saves ONE certificate
> to the named file. I propose to either:
>
> a) write all certs, suffixing suggested filename with either a
> sequential numerical index, e.g. "cert.pem" becomes
> "cert.pem.1", "cert.pem.2", and so on; or
>
> b) as above, but suffix with serial number and, if there are
> different issuers, some issuer-identifying information.
>
> Let me know your thoughts.
>
> Thanks,
> Fraser
>
>
Is there a way to store the certificates in one file?
I read about possibilities to have multiple certs in one .pem file, but
I'm not a cert guru :)
I personally vote for the serial number in case there are multiple
certificates, if ^ is not possible.
1)
+ if len(certs) > 0:
please use only,
if certs:
2)
You need to re-generate API/ACI.txt in this patch
3)
syntax error:
+ for dercert in certs_der
4)
command
ipa user-mod ca_user --certificate=<certificate>
removes the current certificate from LDAP, by design.
Should the old certificate(s) be revoked? You removed that part in the code.
Only --addattr='usercertificate=<cert>' appends a new value there.
--
Martin Basti
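As an added illustration (not part of the patch or of FreeIPA's own code), this shows both answers to the `--out` question raised above: a PEM bundle that keeps every certificate in one file, beside the indexed-filename scheme (a). The DER blobs are constructed stand-ins, not real certificates, and the function names (`pem_bundle`, `write_certs`, ...) are hypothetical.

```python
import base64
import re
from typing import List

# Constructed stand-ins for DER certificates: a real certificate is also a
# DER SEQUENCE, but these are not valid X.509 and only exercise the PEM code.
SAMPLE_CERTS_DER = [
    b"\x30\x05\x02\x01\x01\x05\x00",  # SEQUENCE { INTEGER 1, NULL }
    b"\x30\x05\x02\x01\x02\x05\x00",  # SEQUENCE { INTEGER 2, NULL }
]

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_to_pem(der: bytes) -> str:
    """Wrap one DER certificate in a PEM block (RFC 7468, 64 chars per line)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def pem_bundle(certs_der: List[bytes]) -> str:
    """All certificates in one file: PEM blocks are simply concatenated, and
    OpenSSL, NSS and most TLS stacks read every block of such a bundle."""
    return "".join(der_to_pem(c) for c in certs_der)

def split_pem_bundle(text: str) -> List[bytes]:
    """Inverse of pem_bundle: the DER bytes of each block, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(text)]

def indexed_filenames(base: str, count: int) -> List[str]:
    """Option (a) from the thread: 'cert.pem' -> 'cert.pem.1', 'cert.pem.2', ...
    A single certificate keeps the unsuffixed name."""
    if count <= 1:
        return [base] * count
    return ["%s.%d" % (base, i) for i in range(1, count + 1)]

def write_certs(base: str, certs_der: List[bytes], bundle: bool) -> List[str]:
    """Write one bundle file, or one indexed file per certificate; returns paths."""
    if bundle:
        with open(base, "w") as f:
            f.write(pem_bundle(certs_der))
        return [base]
    names = indexed_filenames(base, len(certs_der))
    for name, der in zip(names, certs_der):
        with open(name, "w") as f:
            f.write(der_to_pem(der))
    return names
```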